Date: Sun, 26 Nov 2017 15:37:49 -0500
From: Leo Famulari <leo@...ulari.name>
To: oss-security@...ts.openwall.com
Subject: Re: RCE in Exim reported

On Sat, Nov 25, 2017 at 06:50:31PM -0500, Phil Pennock wrote:
> bugs.exim.org/2199 :
> Use-after-free remote-code-execution
> CVE-2017-16943
>
> bugs.exim.org/2201 :
> stack-exhaustion remote DoS
> CVE-2017-16944
>
> Fix for the former has been confirmed by the reporter and is in git.
>
> The `exim-4_89+fixes` branch used by various OS packagers for major
> bug-fixes on top of the 4.89 release has the UAF fix backported. Work
> on the DoS is under way.
>
> https://git.exim.org/exim.git/shortlog/refs/heads/exim-4_89+fixes

FYI, clicking on the commits from this page just gives the error
message:

400 - Invalid hash parameter

But the commit in question can be viewed here:

https://git.exim.org/exim.git/commit/4090d62a4b25782129cc1643596dc2f6e8f63bde

Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)